
Security: acsenthil/standalone-api-client


SECURITY.md

🔒 Security Policy

Overview

Standalone API Client prioritizes security while maintaining ease of use. This document outlines security considerations and best practices.

πŸ›‘οΈ Security Features

1. Password Protection

  • SHA-256 Hashing: Passwords are hashed using SHA-256 before comparison
  • Session-Based: Authentication expires on page refresh
  • Default Password: admin123 (hash: 240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9)
  • ⚠️ IMPORTANT: Change the default password immediately in production

2. Data Storage

  • Client-Side Only: All data stored in browser's localStorage
  • No Server Communication: No data sent to external servers (except your API calls)
  • Optional Encryption: Sensitive requests can be encrypted before localStorage storage
  • Local Backups: Auto-backup exports can be stored locally

3. CORS Proxy Security

  • Local Proxy Recommended: Runs on localhost:8080, so proxied traffic stays on your machine
  • No Third-Party Logging: When using local proxy, no third parties see your data
  • Warning for Public Proxies: Clear warnings about security risks of public CORS proxies

⚠️ Security Considerations

What This Tool IS

  • ✅ Protection against casual access
  • ✅ Development and testing tool for APIs
  • ✅ Secure local storage of API configurations
  • ✅ Safe handling of API credentials when using local proxy

What This Tool IS NOT

  • ❌ Not enterprise-grade authentication
  • ❌ Not suitable for multi-user environments without modifications
  • ❌ Not a replacement for server-side security
  • ❌ Not secure against determined attackers with physical access

πŸ” Best Practices

For Personal Use

  1. Change Default Password

    • Follow instructions in PASSWORD_SETUP.md
    • Use a strong, unique password
    • Keep your password hash secure
  2. Use Local CORS Proxy

    • Always prefer the local proxy (localhost:8080)
    • Avoid public CORS proxies for sensitive APIs
    • See CORS_PROXY_EXPLAINED.md
  3. Enable Encryption

    • Check "Encrypt" when saving sensitive requests
    • Use for requests containing API keys, tokens, or sensitive data
  4. Regular Backups

    • Enable auto-backup in Settings
    • Store backup files securely
    • Don't share backup files containing sensitive data
  5. Lock When Not in Use

    • Click the "🔒 Lock" button when stepping away
    • Authentication expires on page refresh automatically

For Development Teams

  1. Use Environment-Specific Instances

    • Each developer should have their own copy
    • Don't share the same passwordHash across the team
  2. Version Control

    • Don't commit exported request files containing real credentials
    • Add sensitive exports to .gitignore
    • Use placeholder API keys in examples
  3. Code Review

    • Review password changes before deployment
    • Audit stored requests for sensitive data
    • Check CORS proxy configuration

πŸ› Reporting Security Issues

If you discover a security vulnerability:

  1. DO NOT open a public issue
  2. Email security concerns to: [your-email@example.com]
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

We will respond within 48 hours and work on a fix promptly.

πŸ“ Security Update Policy

  • Security patches are released as soon as possible
  • Users are notified via GitHub releases
  • Check the Releases page regularly

βš–οΈ Disclaimer

This tool is provided "as is" without warranty. Users are responsible for:

  • Securing their own password hashes
  • Protecting their API credentials
  • Following security best practices
  • Ensuring compliance with their organization's security policies

By using this tool, you acknowledge:

  • It's designed for development/testing, not production secrets management
  • You're responsible for the security of your data
  • The maintainers are not liable for any security breaches or data loss

🔗 Related Documentation


Stay secure! 🔒
